6

I understand that Firewire 400/800 and Thunderbolt have DMA enabled, and a malicious hardware device can easily read and manipulate system memory at will. If I disable the software drivers for these devices, would that prevent such reading/writing? Or is the only way to protect against DMA by desoldering the controller or injecting epoxy in the ports?

Scott Pack
  • 15,217
  • 5
  • 62
  • 91
directedition
  • 163
  • 1
  • 4
  • Is this really a realistic threat in your environment? Do you really expect people to have the ability to be able to attach custom hardware to your computer in order to perform an attack? If they have physical access to your computer, why wouldn't they simply perform many of the easier attacks? – Zoredache Jul 10 '12 at 16:36
  • 3
    This may, in fact, be the easier attack. If you are operating customs at the border of a nation with repressive data privacy laws, a single engineer can make a device that unlocks locked screens on laptops and retrieves encryption keys from RAM with a DMA attack. It is not uncommon when traveling abroad that you may be separated from your laptop for long periods of time at customs, and you don't know what is being done it. So it best to err on the side of caution. This also requires minimal training on the part of the attacker. Simply plug and play. –  Jul 10 '12 at 17:01
  • 1
    Simply enable full-disk encryption and turn off your laptop before crossing the border? Then hope that they don't think Rubber-hose cryptanalysis is needed. If you are using full disk encryption with a strong password, and your system is off so the key isn't in memory, there really isn't anything they can do other then attack you or try to install some kind of keyboard capture device. – Zoredache Jul 10 '12 at 17:06
  • 1
    Indeed, that is a practical mitigation tactic, but it might not always be feasible for every user. Or a user may simply forget to shutdown before going through security. Being able to advise them to simply disable the ports when they go traveling would be great. But of course, such a suggestion would be reckless if the hardware controllers will still allow DMA in that circumstance. Hence the question. –  Jul 10 '12 at 17:17

2 Answers2

4

Disable both interfaces in BIOS and then password protect the BIOS configuration. Additionally, remove the drivers/modules from kernel for both. Also mind, that DMA attack is possible through ExpressCard interface that many notebooks have. One of the more drastic measures is to fill the ports with silicon gel (or similar) or unsolder them (greater chance to damage something if you are not experienced).

https://en.wikipedia.org/wiki/DMA_attack

Matrix
  • 4,028
  • 14
  • 25
  • Is there an equivalent to disabling in BIOS for the Mac? My hope is that I can advise people to protect themselves without needing make irrecoverable changes to the hardware. – directedition Jul 10 '12 at 17:58
  • 2
    Found this on the net: "The Mac does not have a BIOS to enter. The equivalent would be the Extensible Firmware Interface (EFI) to access this (which is traditionally referred to as Open Firmware hence the O and F key combination) press Command-Option-O-F keys during startup." – Matrix Jul 10 '12 at 18:07
  • 2
    Blogs and papers seem to support the assertion that EFI password will block these attacks. CF: http://www.breaknenter.org/2012/02/adventures-with-daisy-in-thunderbolt-dma-land-hacking-macs-through-the-thunderbolt-interface/ and research paper: https://freddie.witherden.org/pages/ieee-1394-forensics/ – adric Aug 28 '12 at 18:31
  • There's something called a jumper that'd like to say hi to your BIOS/EFI password :p – Thomas Aug 29 '12 at 06:42
  • 1
    @Thomas In order to reset the BIOS/EFFI password (using a jumper) you need to power cycle the system. Power cycle the system and you're into cold boot territory. The password itself is irrelevant -- it is the effect it has on the OS that matters (getting it to disable DMA). – Freddie Witherden Mar 29 '13 at 22:50
1

To avoid DMA attacks on Mac through FireWire or Thunderbolt, you just need to setup an EFI password. This will disable raw DMA access (confirmed by Apple Tech Support).

C23
  • 11
  • 1